author: tb <> 2020-01-23 03:53:39 +0000
committer: tb <> 2020-01-23 03:53:39 +0000
commit: d074b68b31fc121e4b52ff0c09efcf6d853b383d
tree: 4d9d69b009f469def034872876e1caec106f28a1 /src/lib/libssl
parent: 71c7229e77572c3e0f8daf1980a554f126e7ba5d

The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find
CA certs it couldn't find otherwise. This may lead to a pledge rpath
violation reported by Kor, son of Rynar.

Unfortunately, providing certs inside a directory is common in linuxes,
so we need to keep this functionality for portable. Check if
/etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly.
Add unveils to restrict this program further on a default OpenBSD
install. Fix -C to look only inside the provided root bundle.

Input from jsing and sthen, tests by sthen and Kor

ok beck, jsing, sthen (after much back and forth)

Diffstat (limited to 'src/lib/libssl')
0 files changed, 0 insertions, 0 deletions
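
The approach the commit message describes, as an added example (not the code from this commit): probe the two CA locations it names, unveil only the ones that are present, and put `rpath` in the pledge only when at least one exists. The base promises `stdio inet dns` and the helper names `ca_promises` and `sandbox` are assumptions of this example; the `pledge`/`unveil` calls are compiled only on OpenBSD.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CA_BUNDLE "/etc/ssl/cert.pem"	/* paths as named in the commit message */
#define CA_DIR    "/etc/ssl/cert"

/* Build the promise string: the base set is an assumption for a network
 * client; rpath is added only if a CA location is readable.
 * Returns the number of locations found, or -1 if out is too small. */
int
ca_promises(const char *bundle, const char *dir, char *out, size_t len)
{
	int found = 0, n;

	if (bundle != NULL && access(bundle, R_OK) == 0)
		found++;
	if (dir != NULL && access(dir, R_OK) == 0)
		found++;
	n = snprintf(out, len, "stdio inet dns%s", found ? " rpath" : "");
	return (n < 0 || (size_t)n >= len) ? -1 : found;
}

/* Hypothetical helper: restrict the filesystem view, then pledge.
 * Outside OpenBSD it only computes the promises and returns. */
int
sandbox(const char *bundle, const char *dir)
{
	char promises[64];

	if (ca_promises(bundle, dir, promises, sizeof(promises)) == -1)
		return -1;
#ifdef __OpenBSD__
	if (bundle != NULL && access(bundle, R_OK) == 0 && unveil(bundle, "r") == -1)
		return -1;
	if (dir != NULL && access(dir, R_OK) == 0 && unveil(dir, "r") == -1)
		return -1;
	if (unveil(NULL, NULL) == -1)	/* lock: no further unveil calls */
		return -1;
	if (pledge(promises, NULL) == -1)
		return -1;
#endif
	return 0;
}

int
main(void)
{
	if (sandbox(CA_BUNDLE, CA_DIR) == -1) { perror("sandbox"); return 1; }
	return 0;
}
```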